This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
This is a [How To] get [OpenSSL] to recognize a [Microsoft Active Directory] CA [1], so that Linux clients can validate the certificates your domain controllers present over LDAPS.
!!Obtain the CA Certificate from AD
On your [Certificate Authority], export AD's public key.
#. Click Start -> Administrative Tools -> Certificate Authority to open the CA Microsoft Management Console (MMC) GUI.
#. Highlight the CA machine and right-click to select Properties for the CA.
#. From General menu, click View Certificate.
#. Select the Details view, and click the Copy to File... button on the lower right corner of the window.
#. Use the Certificate Export Wizard to save the CA certificate in a file. Note: choose the "Base-64 encoded X.509 (.CER)" format, not DER.
!Transfer this file to the (linux) client.
You can just rename the file to .pem: a Base-64 export is already PEM, that is, base64-encoded DER wrapped in BEGIN CERTIFICATE / END CERTIFICATE lines. If you exported DER by mistake, convert it with openssl x509 -inform DER -in ca.cer -out ca.pem.
If you don't have access to your forest's CA, you can still pull the certificate a server presents directly over the network. Be clear about what you get this way: the server's own (leaf) certificate plus, with -showcerts, whatever intermediates it sends, not necessarily the root. A certificate fetched over the network also proves nothing about who issued it, so compare its fingerprint with the CA administrator out of band before you install anything from it as a trust anchor.
This script[2] will [obtain a Certificate from Server]:
{{{
#!/bin/sh
#
# usage: retrieve-cert.sh remote.host.name [port]
#
REMHOST=$1
REMPORT=${2:-443}
# -servername sends SNI for hosts that need it; </dev/null closes the
# session after the handshake instead of waiting for input on stdin
openssl s_client -connect "${REMHOST}:${REMPORT}" -servername "${REMHOST}" -showcerts </dev/null 2>&1 \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}}}
With stdin redirected from /dev/null, s_client exits on its own once it has printed the certificates. Without that redirect, s_client sits waiting for input after the handshake and you have to press Ctrl+C to close it.
You might point this at a domain controller on port 636 (LDAPS://) to download a certificate.
!! Locate your certs directory
Where your system keeps the certificate authorities it trusts depends on the distribution (typically /etc/pki/tls/certs on Red Hat derivatives and /etc/ssl/certs on Debian derivatives).
You can always locate it with the command:
{{{
openssl version -a | grep OPENSSLDIR
}}}
OPENSSLDIR is the base directory; the hashed CA directory is its certs subdirectory. Place the certificate from your Windows machine in this directory. On distributions that manage the trust store with a tool such as update-ca-trust or update-ca-certificates, prefer that tool, since it regenerates the directory and links you made by hand may not survive the next run.
!! Link the CA Certificate
[OpenSSL] computes a hash of the subject name in each certificate file, and then uses that hash, as the name of a symlink in the certs directory, to quickly locate the proper certificate.
You can determine the hash (say for the file unityCA.cer.pem) with a command like:
{{{
openssl x509 -noout -hash -in unityCA.cer.pem
}}}
Note that OpenSSL 1.0.0 changed the hashing algorithm: -hash is an alias for -subject_hash, and links made with an older release's algorithm (-subject_hash_old) are not found by a newer one.
It is possible for more than one certificate to have the same hash value (a renewed CA certificate keeps its subject name, for example). In such a case, a suffix of .0 to .9 is appended to make a unique link.
Here's a script[2] that will create the proper links for [OpenSSL] to use your new certificate file. Run it from inside the certs directory. (Most distributions ship a tool that does the same job for the whole directory: c_rehash, or openssl rehash on OpenSSL 1.1 and later.)
{{{
#!/bin/sh
#
# usage: certlink.sh filename [filename ...]
for CERTFILE in "$@"; do
# make sure file exists and is a valid cert (openssl prints nothing on stdout otherwise)
test -f "$CERTFILE" || continue
HASH=$(openssl x509 -noout -hash -in "$CERTFILE")
test -n "$HASH" || continue
# use lowest available iterator for symlink; the -L test also skips
# dangling links, which -f alone would miss and ln would then fail on
for ITER in 0 1 2 3 4 5 6 7 8 9; do
test -e "${HASH}.${ITER}" && continue
test -L "${HASH}.${ITER}" && continue
ln -s "$CERTFILE" "${HASH}.${ITER}"
test -L "${HASH}.${ITER}" && break
done
done
}}}
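As an added example that is not part of the original page, the following script rehearses the whole procedure (a CA certificate file, its fingerprint for an out-of-band check, the hash link, and a verification that OpenSSL actually finds it) against a throwaway CA in a temporary directory, so you can see the layout work before touching the real OPENSSLDIR/certs. The CA names and paths are made up, and it assumes only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original page: rehearse the CA-install
# procedure with a throwaway CA. Names and paths are made up.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERTDIR="$WORK/certs"      # stands in for $OPENSSLDIR/certs
mkdir -p "$CERTDIR"

# make_ca NAME OUTFILE: self-signed CA cert standing in for the exported AD root
make_ca() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$2" >/dev/null 2>&1
}

# fingerprint CERTFILE: SHA-256 fingerprint, the value to read back to the
# CA administrator (who sees the same thing in the MMC) before trusting the file
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# install_ca CERTFILE DIR: symlink CERTFILE into DIR as <subject-hash>.N,
# taking the lowest free N and refusing to clobber dangling links
install_ca() {
    subj_hash=$(openssl x509 -noout -hash -in "$1")
    for i in 0 1 2 3 4 5 6 7 8 9; do
        link="$2/$subj_hash.$i"
        if [ ! -e "$link" ] && [ ! -L "$link" ]; then
            ln -s "$1" "$link"
            echo "$link"
            return 0
        fi
    done
    echo "no free slot for $subj_hash" >&2
    return 1
}

# verify_with_dir CERTFILE DIR: exit 0 only if CERTFILE chains to a CA that
# OpenSSL can find in DIR by its hash link
verify_with_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

make_ca unityCA "$WORK/unityCA.cer.pem"   # the CA we intend to trust
make_ca rogueCA "$WORK/rogueCA.pem"       # a look-alike nobody installed

echo "fingerprint to confirm out-of-band: $(fingerprint "$WORK/unityCA.cer.pem")"
echo "linked as: $(install_ca "$WORK/unityCA.cer.pem" "$CERTDIR")"

verify_with_dir "$WORK/unityCA.cer.pem" "$CERTDIR" && echo "unityCA: trusted"
verify_with_dir "$WORK/rogueCA.pem" "$CERTDIR" || echo "rogueCA: rejected (no link in CApath)"
```

The negative case is the one worth keeping in mind: a certificate that is merely present in the directory but not linked under its subject hash is invisible to -CApath, so "I copied the file there" is not the same as "OpenSSL trusts it".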
!! Testing with OpenLDAP
Configure your /etc/openldap/ldap.conf file with the info about locating your DC, and how to locate your certificates. In this example, the DC is dc00.unity.ad.ncsu.edu and the [OpenSSL] certificates directory is /etc/pki/tls/certs.
Note: be careful! On many distributions, there is also an /etc/ldap.conf, which controls nss (the name service switch) and pam (pluggable authentication modules) through nss_ldap/pam_ldap. Unless you're using nss_ldap/pam_ldap to log in to your unix machine with AD accounts and passwords, this is likely not the file you want to disturb. :-)
{{{
# /etc/openldap/ldap.conf
URI ldaps://dc00.unity.ad.ncsu.edu
BASE dc=unity,dc=ad,dc=ncsu,dc=edu
TLS_CACERTDIR /etc/pki/tls/certs
# demand is the default; spelled out so nobody quietly relaxes it to "never"
TLS_REQCERT demand
}}}
Keywords in this file are case-insensitive. "ssl on" is an option of the nss_ldap/pam_ldap /etc/ldap.conf, not of OpenLDAP's ldap.conf; here the ldaps:// scheme in the URI is what selects SSL.
[Microsoft Active Directory] on Windows 2000 does not support the StartTLS extended operation, so you must use LDAPS (ldaps://) on port 636; later versions support both.
Basic testing instructions and more background can be found in the Microsoft Solution Guide for Windows Security and Directory Services for UNIX [1].
You can test basic anonymous reads with:
{{{
ldapsearch -x -s base -b "" "(objectclass=*)"
}}}
* -x indicates a "simple bind" rather than SASL. Use -D and -W to specify a bind DN and password if you wish.
* -s base indicates a "base" ldap search, rather than "sub" or "one".
* -b "" indicates the search base; null means the root of the ldap tree.
* -H ldaps://dc00.unity.ad.ncsu.edu indicates what host to query and overrides the URI from ldap.conf (the older -h option takes a bare hostname and is deprecated).
If the CA is not trusted, this is where you find out: ldapsearch reports that it can't contact the LDAP server, and adding -d 1 shows the TLS handshake failing on certificate verification. Don't work around that by setting TLS_REQCERT to never; that accepts any certificate and defeats the point of using LDAPS.
THIS IS THE ONLY ANONYMOUS SEARCH THAT WILL SUCCEED.
By default, [Microsoft Active Directory] does not allow anonymous operations on the LDAP directory. However, the ldapsearch -x -s base -b "" "(objectclass=*)" command searches the [rootDSE], and this anonymous operation is permitted.
!! More Information
----
* [#1] - [http://techies.ncsu.edu/wiki/How_to_get_OpenSSL_to_recognise_an_Active_Directory_CA]
* [#2] - [http://www.madboa.com/geek/openssl/]